Solved

Change Https port for sdm access on Cisco 877

Posted on 2008-09-29
9
1,814 Views
Last Modified: 2012-06-21
Hi there,
I need to change the port number of HTTPS for router access from the normal 443 to another one. I tried the solution given in question ID: 22960394; however, I get an "Access denied by access control policy" error. Is there anything else I need to change on the router config? I normally use SDM but cannot see anything there relating to the HTTPS port and its access.

thanks for your help!
Question by:burny1
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
Can you post the router configuration?
0
 
LVL 79

Expert Comment

by:lrmoore
Use this command:
ip http secure-port <port>
0
 

Author Comment

by:burny1
Hi there,
I have used the command before. It changes the port number; however, the firewall is not allowing any connections. Do I need to change an ACL as well somewhere?
0
 
LVL 79

Expert Comment

by:lrmoore
How are you trying to access it using the new port?
https://<ipaddress>:port
0
 
LVL 43

Expert Comment

by:JFrederick29
Possibly, what IP are you connecting to the router from and can you post the config?
0
 

Author Comment

by:burny1
I am trying to access it from the outside on the WAN (dialer) interface. Here is the config:

Building configuration...

Current configuration : 17390 bytes
!
! Last configuration change at 16:13:11 PCTime Mon Sep 29 2008 by admin
! NVRAM config last updated at 10:51:14 PCTime Mon Sep 29 2008 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 $.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 2
!
crypto pki trustpoint TP-self-signed-3722901195
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3722901195
 revocation-check none
 rsakeypair TP-self-signed-3722901195
!
!
crypto pki certificate chain TP-self-signed-3722901195
 certificate self-signed 01
 
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.69.1 10.1.69.99
!
ip dhcp pool sdm-pool
   import all
   network 10.1.69.0 255.255.255.0
   dns-server 209.203.60.13 196.25.1.1
   default-router 10.1.69.31
   lease 30
!
!
ip port-map user-ezvpn-remote port udp 10000
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name tzo.com
ip name-server 196.41.0.10
ip name-server 196.25.1.9
ip ddns update method sdm_ddns1
 HTTP
  add http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>&=<a>
  remove http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>&Email=&TZOKey=&IPAddress=<a>
!
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

!
!
username  privilege 15
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  hostname
!
crypto isakmp client configuration group ils2
 key
 dns 209.203.60.13 196.25.1.9
 pool SDM_POOL_1
 acl 102
 save-password
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group ils2
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
 connect auto
 group ils2 key mancheckct01
 mode network-extension
 peer
 virtual-interface 2
 username admin password
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
 match  invalid-command
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-all SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
 match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
 match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
 match access-group 103
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any icmp2
 match protocol icmp
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT0
 match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
 match access-group 104
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
 match  service any
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
 match  service any
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
 match  service any
class-map type inspect pop3 match-any sdm-app-pop3
 match  invalid-command
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any vpn1
 match class-map SDM_GRE
 match protocol pptp
 match protocol l2tp
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
 match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
 match  service text-chat
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect http match-any sdm-http-allowparam
 match  request port-misuse tunneling
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
class-map type inspect aol match-any sdm-app-aol
 match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-http-allowparam
  log
  allow
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-im
  inspect
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-policy-vpn1
 class type inspect vpn1
  inspect
 class class-default
policy-map type inspect im sdm-action-app-im
 class type inspect aol sdm-app-aol
  log
  allow
 class type inspect msnmsgr sdm-app-msn
  log
  allow
 class type inspect ymsgr sdm-app-yahoo
  log
  allow
 class type inspect aol sdm-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr sdm-app-msn-otherservices
  log
  allow
 class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  allow
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_EASY_VPN_REMOTE_PT0
  pass
 class type inspect sdm-access
  inspect
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-vpn1
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.1.69.31 255.255.255.0
 ip mask-reply
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer0
 description $FW_OUTSIDE$
 ip ddns update sdm_ddns1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 0
 ppp pap sent-username
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
router rip
 network 10.0.0.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.1.69.40 10.1.69.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4433
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.1.69.62 32566 interface Dialer0 32566
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark SDM_ACL Category=0
 permit gre any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit tcp any any eq 32566 log
 permit ip any any
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host <outside ip> any
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host <outside ip> any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175040
ntp server 196.25.1.1 source Dialer0 prefer
end
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
Try adding this:

conf t
ip access-list extended SDM_HTTPS
 permit tcp any any eq 4433
0
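The accepted answer points at the actual cause: the zone-based firewall's out-zone to self policy (sdm-permit) only lets HTTPS through the SDM_HTTPS class, whose ACL still permits tcp 443, while `ip http secure-port` moved the server to 4433. The following is an added audit script, not code from the original thread or from Cisco, that reads an IOS config and checks whether the ACL referenced by the HTTPS class-map admits the configured secure port. The sample config is a constructed fragment reduced to the relevant lines; the class-map name SDM_HTTPS and the port-name table are assumptions taken from the posted config.

```python
import re

# Constructed sample fragment: the secure-port line, the inspect class-map and
# the ACL it references, in the shape seen in the posted config (not the full config).
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http secure-port 4433
!
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
!
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
"""

# Named ports that IOS may print in ACL entries; assumed subset, extend as needed.
PORT_NAMES = {"https": 443, "www": 80}


def secure_port(config):
    """Port the IOS HTTPS server listens on (443 when no secure-port line is set)."""
    m = re.search(r"^ip http secure-port (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else 443


def class_map_acl(config, class_map):
    """Name of the access-group referenced by an inspect class-map, or None."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("class-map") and line.split()[-1] == class_map:
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break          # left the class-map's indented body
                m = re.match(r"\s+match access-group name (\S+)", sub)
                if m:
                    return m.group(1)
    return None


def _address(tokens, i):
    """Parse one ACL address spec (any | host A | A wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _port_number(token):
    return PORT_NAMES.get(token, int(token) if token and token.isdigit() else None)


def acl_entries(config, acl_name):
    """permit/deny entries of a named extended ACL as dicts; remarks are skipped."""
    entries, in_acl = [], False
    for line in config.splitlines():
        if line.rstrip() == f"ip access-list extended {acl_name}":
            in_acl = True
            continue
        if not in_acl:
            continue
        if not line.startswith(" "):
            break                  # next top-level command ends the ACL
        t = line.split()
        if t[0] not in ("permit", "deny"):
            continue
        src, i = _address(t, 2)
        if i < len(t) and t[i] == "eq":
            i += 2                 # skip a source-port match (permit tcp any eq X ...)
        dst, i = _address(t, i)
        port = _port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append({"action": t[0], "proto": t[1], "src": src, "dst": dst, "port": port})
    return entries


def audit_https_access(config, class_map="SDM_HTTPS"):
    """Does the firewall's HTTPS class admit the configured secure port?"""
    port = secure_port(config)
    acl = class_map_acl(config, class_map)
    if acl is None:
        return {"port": port, "acl": None, "permitted": False, "any_source": False}
    hits = [e for e in acl_entries(config, acl)
            if e["action"] == "permit" and e["proto"] in ("tcp", "ip")
            and e["port"] in (None, port)]   # None: entry has no port match at all
    return {"port": port, "acl": acl, "permitted": bool(hits),
            "any_source": any(e["src"] == "any" for e in hits)}


def suggested_entry(port, source="any"):
    """ACL line that admits the secure port; pass a management host to narrow the source."""
    src = "any" if source == "any" else f"host {source}"
    return f"permit tcp {src} any eq {port}"


if __name__ == "__main__":
    result = audit_https_access(SAMPLE_CONFIG)
    print(result)
    if not result["permitted"]:
        print(f"add under 'ip access-list extended {result['acl']}':",
              suggested_entry(result["port"]))
```

Running it against the sample reports `permitted: False` for port 4433, which is the symptom in the question; appending the accepted answer's `permit tcp any any eq 4433` to the ACL flips it to `True`. The `any_source` field is there because the posted ACLs allow management HTTPS from any address on the WAN side; `suggested_entry(4433, "203.0.113.10")` shows the narrower form, with 203.0.113.10 standing in for an assumed management host.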
 
LVL 12

Expert Comment

by:Pugglewuggle
I could be wrong, but I don't think you can tell the SDM launcher to open on a port other than 443, can you?
I know you can set the http server to a different port, but then you have to access the SDM in a web browser by typing https://<IP address>:<port>
I think that should work.
0
 

Author Closing Comment

by:burny1
Thanks a million! That worked just fine. Points to you.
Regards
Burny
0
